platform_device_qcom_sepoli.../legacy/vendor/common/fstman.te
Lior David ae8b742840 sepolicy: add wigig and FST rules
This is a cumulative patch which adds rules needed
for wigig and FST, including cleanup of rules that
are no longer needed, and adjustments for new sepolicy
restrictions.

Based on these changes:
1) sepolicy: Add policies for FST manager service

Add SE policies for FST Manager daemon required for
fast-session-transfer feature.

Change-Id: I3750d298c33e9f70e51545a678502b6d7dd0b0e6

2) sepolicy: allow fstman write permissions to wifi directory

FST Manager needs write permissions to wifi directory for supporting
whitelist of rate upgrade interface (wlan1)

Change-Id: I564e7da6118e17f7487242c55b0373dab8d12578

3) sepolicy: support wigig services

For managing the wigig network, define wigig services as
system service and allow access to wpa_wigig0 control socket.

wigig supplicant creates sockets under /data/misc/wifi/wigig_sockets.

CRs-Fixed: 997409
Change-Id: I8113892b7fdbf1a4f7dd4b9c7cf490264952fe69

4) sepolicy: Update policies for FST

Recent android changes removed permission for
systemserver and netd to read system properties.

Added such support as it is needed for fst feature

Change-Id: I045b7115f9a6ba5c03f7f8e510a29e847a534686
CRs-Fixed: 1028134

5) sepolicy: support wigig services and fast session transfer

Add rules for allowing wigig framework and FST to work.
Includes:
- communication between wigig framework and wigig HAL service
- permissions for wigig HAL service
- file/socket permissions for fstman daemon
- permissions for WIFI framework to operate FST.

Change-Id: Ibf0970aa0f06fac1dab4d8a2b31a9f0fc4ab3a6e

6) sepolicy: support FST in SoftAP mode

Add rules needed for supporting FST in SoftAP mode:
- Extend the wifi_vendor_hostapd_socket file definition to include
  the hostapd global socket.
- Allow hostapd to send messages back to fstman event socket
- Allow fstman to communicate with hostapd global socket.

Change-Id: Ifbf38e24ff9e0834ef3f3dd8cf70d4e5ce1af4d1

7) sepolicy: add rules for wigig network performance tuner(npt)

Add rules needed to support the wigig network performance tuner.
The npt is a standalone service which provides the ability to
tune network stack parameters. It can accumulate tuning requests
from multiple clients and merge requests.
The npt provides an hwbinder service used by wigig framework
(hosted inside system_server).
The npt also listens on a unix socket, this is used by vendor
components for backward compatibility with previous implementation.

Change-Id: Iaabb4c13519c14b0e79631c7eaed7e53a1076063

8) sepolicy: add permissions to access wigig's snr_thresh sysfs

Part of FST functionality, fstman needs to access snr_thresh sysfs.

Change-Id: Ie10778c0c4b874b2ea8467f2deac26ae7d776bdc

9) sepolicy: fix hostapd rules for FST

FST was broken by commit 3e2b4523e6
("sepolicy: Adding rule for cnd"). Object was changed from
wifi_vendor_wpa_socket to wpa_socket. However wifi_vendor_wpa_socket
provides access to /data/vendor/wifi/sockets where wpa_socket
provides access to /data/misc/wifi/sockets.

Change-Id: Ia70999c3aedc4e073bfcc2ac72bde83d5b521aa4

10) sepolicy: move definitions of wigig services

Move the definitions of wigig services from common
to private, otherwise they do not work in newer version
of Android.

Change-Id: Ia4d0770314706b97ee0fea8f36fe920f0d7103cf

11) sepolicy: remove duplicate definitions of wigig and wigigp2p

wigig and wigigp2p service definitions were duplicated in
common/service_contexts and private/service_contexts,
it caused problems with OTA build.

Change-Id: Ifaeb9ffdf65be44de3ef8d15c323e436b5e04d9f

12) sepolicy: add rules for on-demand insmod/rmmod of wigig driver

Add rules to allow wigig HAL service to insmod/rmmod the wigig module,
similar to the WIFI HAL. This is needed because the wigig chip
leaks power while wigig driver is loaded, so the driver must be
unloaded when wigig framework is disabled.

Change-Id: Id96f50020b3e7028b2c6bdd319383879565087c6

13) sepolicy: fixes for wigig SoftAP (hostapd)

Added some fixes to get wigig SoftAP working.
In recent version of Android hostapd now has its own HAL domain.
Update hostapd rules to refer to this new domain.

Also, there are few small updates to refer to proper types for
vendor files and sockets.

Change-Id: If53a3674312f5a008984eb7ff2aa6026dcdf0af7

14) sepolicy: FST fixes

1. Restore access to hostapd global socket from fstman.
2. fstman now generates its configuration (fstman.ini) based
on system properties, so it needs read access to these.
3. wpa_supplicant global socket moved to vendor_wpa_wlan0,
so fstman (and other vendor services) can access it.

Change-Id: I099d7f3b187989c26666b93288b1693f5db20bec

15) sepolicy: allow platform_app to read wigig properties

WigigSettings application needs to read wigig system property.

Change-Id: Ic5e28b454bfa261b4cbd91dc76b7e2267e1acb74

16) sepolicy: fix wigignpt access to network parameters

Add rule to fix problem with accessing sysfs network
parameters on recent android versions.
Based on this audit log:
avc: denied { search } for pid=1024 comm="wigignpt" name="net" dev="sysfs" ino=41025 scontext=u:r:wigignpt:s0 tcontext=u:object_r:sysfs_net:s0 tclass=dir permissive=0

CRs-Fixed: 2217480
Change-Id: Ifdb8b794a4a310c1548743cc19df77d7eb0d302b

Change-Id: I0c847447acf3ffd7903a62e0139e69308dca851f
2019-04-03 01:43:17 +03:00
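
Item 16 of the commit message derives a rule from an audit log line. The sketch below is an added example, not code from this repository: it parses `avc: denied` records and merges them into candidate `allow` rules for review. The function names and the second and third sample lines are constructed for illustration, and the rule the commit actually added is not shown on this page.

```python
import re
from collections import defaultdict

# Line 1 is the denial quoted in the commit message. Lines 2 and 3 are
# constructed for this example (permission merging and the "self" case).
SAMPLE_LOG = """\
avc: denied { search } for pid=1024 comm="wigignpt" name="net" dev="sysfs" ino=41025 scontext=u:r:wigignpt:s0 tcontext=u:object_r:sysfs_net:s0 tclass=dir permissive=0
avc: denied { read open } for pid=1024 comm="wigignpt" name="net" dev="sysfs" ino=41025 scontext=u:r:wigignpt:s0 tcontext=u:object_r:sysfs_net:s0 tclass=dir permissive=0
avc: denied { net_admin } for pid=900 comm="fstman" capability=12 scontext=u:r:fstman:s0 tcontext=u:r:fstman:s0 tclass=capability permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(context):
    """Return the type field of a user:role:type:level SELinux context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed SELinux context: {context!r}")
    return parts[2]

def denials_to_rules(log_text):
    """Group denials by (source, target, class) and emit one rule per group."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        src = context_type(m["scon"])
        tgt = context_type(m["tcon"])
        if tgt == src:
            tgt = "self"  # policy syntax for a domain acting on itself
        merged[(src, tgt, m["tclass"])].update(m["perms"].split())
    rules = []
    for (src, tgt, tclass), perms in sorted(merged.items()):
        names = sorted(perms)
        body = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {body};")
    return rules

if __name__ == "__main__":
    print("\n".join(denials_to_rules(SAMPLE_LOG)))
```

Each generated rule is a candidate only: check it against the platform's neverallow rules and prefer the narrowest type and permission set that resolves the denial.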


# Copyright (c) 2015,2017, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type fstman, domain;
type fstman_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(fstman)
net_domain(fstman)
# fstman requires special network privileges.
# access traffic control (TC) for marking packets to identify from
# which slave interface they arrive, drop multicast packets and
# duplicate packets. This requires the net_raw capability.
# network admin operations mainly on the bonding driver:
# interface up/down, add/remove slave interfaces, set queue parameters
# This requires the net_admin capability.
allow fstman self:capability { net_admin net_raw };
# netlink socket is used to access traffic control (TC)
allow fstman self:netlink_route_socket nlmsg_write;
# allow privileged socket operations: interface up/down, bond interface management
allowxperm fstman self:udp_socket ioctl { SIOCGIFFLAGS SIOCSIFFLAGS SIOCSIFTXQLEN SIOCBONDENSLAVE SIOCBONDRELEASE SIOCETHTOOL};
# need access to bond0 sysfs in order to manage attached interfaces
allow fstman sysfs_net:dir r_dir_perms;
allow fstman sysfs_bond0:file rw_file_perms;
# need access to wigig sysfs in order to control fst_link_loss
allow fstman sysfs_wigig:file rw_file_perms;
# create/read fstman configuration file (/data/vendor/wifi/fstman.ini)
r_dir_file(fstman, wifi_vendor_data_file)
allow fstman wifi_vendor_data_file:dir rw_dir_perms;
allow fstman wifi_vendor_data_file:file create_file_perms;
# fstman needs to communicate with wpa_supplicant and hostapd using socket
# for managing FST state
allow fstman { hal_wifi_supplicant hal_wifi_hostapd_default }:unix_dgram_socket sendto;
# supplicant interface sockets
allow fstman wifi_vendor_wpa_socket:dir rw_dir_perms;
allow fstman wifi_vendor_wpa_socket:sock_file create_file_perms;
# hostapd global socket
allow fstman hostapd_data_file:dir rw_dir_perms;
allow fstman hostapd_data_file:sock_file create_file_perms;